Russian Gang's Credentials Theft Exposes Web's Wild, Wild West Side

News that a Russian gang has stockpiled more than a billion purloined user name and password combinations has revved up the Internet's reputation as a post-industrial Wild, Wild West.

Just how much havoc will be raised by the gang remains to be seen. The data thieves so far appear content to use their ill-gotten trove for spamming, according to Hold Security, which announced its discovery of the stolen credential cache last week. Since little is known about the quality of the data -- especially its age -- it may be that spamming is all it's good for.

"If the data is very stale, it would be of less value, but it's a safe assumption that there is some potentially harmful data in the list," Rick Martinez, an attorney with Robins, Kaplan, Miller & Ciresi, told TechNewsWorld.

The quality and quantity of the data snatched by the gang may be less important than the gang itself and the atmosphere it operates in.

"It's gotten to the point where it's like 1920s Chicago," Tom Kellermann, vice president of cyber security at Trend Micro, told TechNewsWorld.

"You have advanced criminal syndicates that are operating with impunity," he explained.

The Comrades Agreement

In Russia and Eastern Bloc nations generally, governments turn a blind eye to guilds of thieves, as long as three basic rules are observed: Don't hack where you live; pass anything discovered of a national security nature to the authorities; and act in the national interest when requested to do so.

"What I'm worried about is the third rule," Kellermann said, "where the criminals leverage these footprints they're amassing by the hundreds of millions for infrastructure destruction."

Whenever a massive credential theft makes headlines, the use of passwords is rapped -- and for good reason.

"When we use a password, we use the same thing every time," explained Chris Webber, senior product marketing manager for Centrify, a provider of unified identity services.

"It's like our high school locker combination," he told TechNewsWorld. "If someone knows that combo and our locker number, they can get at our stuff any time. What's needed is something that changes every time."

That's what two-factor authentication does. A fresh one-time access code is issued to you -- usually through your cellphone -- when you try to log in to a website from an unusual IP address or with a new device, so a stolen password alone is not enough to get in.
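To make the "something that changes every time" idea concrete, here is an added example (not code from the original article or from any vendor quoted in it) of how a time-based one-time password is generated and checked on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret is the RFC test secret, the 30-second time step and six-digit codes are the usual defaults, and the `_last_counter` replay table is a hypothetical in-memory stand-in for whatever store a real service would use. The verifier tolerates one step of clock skew and rejects a code that has already been used, which is the property that distinguishes a one-time code from a password.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real
# deployment generates a random per-user secret at enrollment time.
SECRET = b"12345678901234567890"
TIME_STEP = 30          # seconds per TOTP window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time window."""
    return hotp(secret, int(unix_time) // step, digits)


# Hypothetical replay state: highest counter each user has already redeemed.
_last_counter: dict[str, int] = {}


def verify_totp(user: str, secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code for the current window or +/- `window` steps of clock skew,
    in constant time, and never accept the same or an older window twice."""
    base = int(unix_time) // TIME_STEP
    for counter in range(base - window, base + window + 1):
        if counter <= _last_counter.get(user, -1):
            continue                                # already redeemed: replay
        if hmac.compare_digest(hotp(secret, counter), code):
            _last_counter[user] = counter           # burn this window
            return True
    return False


def reset_replay_state() -> None:
    """Clear the hypothetical replay table (for tests)."""
    _last_counter.clear()


if __name__ == "__main__":
    # Known RFC 6238 vector: t=59 -> counter 1 -> 94287082, last six digits 287082
    print(totp(SECRET, 59))
    print(verify_totp("alice", SECRET, "287082", 59))   # first use: accepted
    print(verify_totp("alice", SECRET, "287082", 59))   # replay: rejected
```

A login flow that triggers the second factor only for an unfamiliar IP address or device would call `verify_totp` on that branch; the code itself is what changes every 30 seconds, and the replay table is what stops a sniffed code from being reused within the same window.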

Behavioral Fraud Protection

"A better security standard needs to be used across the entire Internet," said Nathan Collier, a senior malware intelligence analyst with Malwarebytes.

"Some companies have already adopted stronger standards, such as asking personal questions when the site is being accessed from unknown locations," he added. "These and other methods need to be implemented on every website."

Because passwords impose little friction on consumer purchasing, merchants are reluctant to kick them by the side of the road, so the Russian gang's vacuuming operations won't end any time soon. However, there are other measures in the formative stages that promise to foil even the most enterprising credential thief. They include behavioral fraud protection.

Some credit card companies will ring up a customer if their systems detect a large purchase or one from outside the customer's home country. The same principle, but in a more sophisticated way, can be applied to online behavior by systems using Big Data.

"They look at how a user behaves, such as how they type, scroll and interact with a website, so even when a user is being impersonated online, firms can tell that the user is behaving differently from normal and that a user account has been hijacked," Christopher Bailey, CTO of NuData Security, told TechNewsWorld.

Microsoft Scroogling?

Microsoft seems to relish needling Google about its automated scanning of users' email to find tips to target advertising at them. Microsoft even invented a term for it: "scroogled."

When it comes to child pornography and other objectionable content, though, it seems that Microsoft does some scroogling of its own.

"Child pornography violates the law as well as our terms of service, which makes clear that we use automated technologies to detect abusive behavior that may harm our customers or others," Mark Lamb, senior PR manager with Microsoft's digital crimes unit, told TechNewsWorld.

Lamb's remarks came on the heels of news that a Texas man was arrested for possessing and distributing child pornography based on a tip from Google after it uncovered the material in a routine scan of the man's email.

"Each child sexual abuse image is given a unique digital fingerprint which enables our systems to identify those pictures, including in Gmail," he explained. "It is important to remember that we only use this technology to identify child sexual abuse imagery, not other email content that could be associated with criminal activity."

Breach Diary

Aug. 4. Appthority releases its summer 2014 Appthority App Reputation Report that found 78 percent of the top Android paid apps had at least one major risky behavior, and 87 percent of top iOS paid apps contained at least one of those behaviors, too.

Aug. 5. Restaurant chain PF Chang's releases more details about the data breach it reported last month. It said 33 locations were affected over a period of eight months.

Aug. 5. New York Times reports Russian criminals have amassed cache of 1.2 billion user name and password combinations and more than 500 million email addresses.

Aug. 5. Target reports US$148 million loss due to the massive data breach last year that compromised payment card and personal information of 110 million customers.

Aug. 6. Online Trust Alliance releases report based on analysis of 800 top consumer websites and more than 100 million email headers, finding only 8.3 percent of them supported all three critical email authentication protocols: SPF, DKIM and DMARC.

Aug. 6. FireEye and Fox-IT launch free service to decrypt files scrambled by CryptoLocker ransomware after announcing they'd recovered the private keys and reverse-engineered the engine used by the malicious app to do its dirty work.

Aug. 6. US Investigative Services, which performs background checks for the U.S. Department of Homeland Security, reveals its computer systems were breached in what appears to be a state-sponsored attack.

Aug. 7. Yahoo announces end-to-end encryption for Yahoo email starting this fall. Google announced a similar initiative in June.

Aug. 8. Russia grants NSA whistleblower Edward Snowden a three-year residency permit which allows him to move freely within the country and to travel abroad.